Darktrace Model Breach
| Id | a3c7b8ed-56a9-47b7-98e5-2555c16e17c9 |
| Rulename | Darktrace Model Breach |
| Description | This rule creates Microsoft Sentinel Alerts based on Darktrace Model Breaches, fetched every 5 minutes. |
| Severity | Medium |
| Required data connectors | DarktraceRESTConnector |
| Kind | NRT |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Darktrace/Analytic Rules/CreateAlertFromModelBreach.yaml |
| Version | 1.0.0 |
| Arm template | a3c7b8ed-56a9-47b7-98e5-2555c16e17c9.json |
darktrace_model_alerts_CL
| where dtProduct_s =="Policy Breach"
| extend EventCount = 1
| extend EventType = "NetworkSession"
| extend EventSchema = "NetworkSession"
| extend EventSchemaVersion = "0.2.2"
| extend EventResult = "Success"
| extend DvcAction = "Allow"
| project-rename EventSeverity=score_d
| extend EventVendor = "Darktrace"
| extend EventProduct = "Enterprise Immune System"
| project-rename EventStartTime = breachTime_s
| extend EventEndTime = EventStartTime
| project-rename NetworkRuleName=modelName_s
| project-rename NetworkRuleNumber=pid_d
| extend Rule = "NetworkRuleNumber"
| project-rename ThreatId=threatID_d
| extend ThreatName = NetworkRuleName
| project-rename ThreatCategory=dtProduct_s
| extend ThreatRiskLevel=EventSeverity
| extend ThreatCategory=Category
| extend ThreatCategory=replace_regex(ThreatCategory, @'Informational', @'Low')
| extend ThreatCategory=replace_regex(ThreatCategory, @'Compliance', @'Informational')
| extend ThreatCategory=replace_regex(ThreatCategory, @'Suspicious', @'Medium')
| extend ThreatCategory=replace_regex(ThreatCategory, @'Critical', @'High')
| project-rename SrcIpAddr=SourceIP
| project-rename SrcHostname=sourceHost_s
| project-rename SrcMacAddr=sourceMac_s
| project-rename SrcPortNumber=sourcePort_s
| project-rename DstIpAddr=destIP_s
| project-rename DstPortNumber=destPort_s
| project-rename DstHostname=destHost_s
| project-rename DstMacAddr=destMac_s
queryFrequency: 5m
entityMappings:
- entityType: Host
fieldMappings:
- columnName: SrcHostname
identifier: HostName
- entityType: IP
fieldMappings:
- columnName: SrcIPAddr
identifier: Address
severity: Medium
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Darktrace/Analytic Rules/CreateAlertFromModelBreach.yaml
relevantTechniques:
query: |
darktrace_model_alerts_CL
| where dtProduct_s =="Policy Breach"
| extend EventCount = 1
| extend EventType = "NetworkSession"
| extend EventSchema = "NetworkSession"
| extend EventSchemaVersion = "0.2.2"
| extend EventResult = "Success"
| extend DvcAction = "Allow"
| project-rename EventSeverity=score_d
| extend EventVendor = "Darktrace"
| extend EventProduct = "Enterprise Immune System"
| project-rename EventStartTime = breachTime_s
| extend EventEndTime = EventStartTime
| project-rename NetworkRuleName=modelName_s
| project-rename NetworkRuleNumber=pid_d
| extend Rule = "NetworkRuleNumber"
| project-rename ThreatId=threatID_d
| extend ThreatName = NetworkRuleName
| project-rename ThreatCategory=dtProduct_s
| extend ThreatRiskLevel=EventSeverity
| extend ThreatCategory=Category
| extend ThreatCategory=replace_regex(ThreatCategory, @'Informational', @'Low')
| extend ThreatCategory=replace_regex(ThreatCategory, @'Compliance', @'Informational')
| extend ThreatCategory=replace_regex(ThreatCategory, @'Suspicious', @'Medium')
| extend ThreatCategory=replace_regex(ThreatCategory, @'Critical', @'High')
| project-rename SrcIpAddr=SourceIP
| project-rename SrcHostname=sourceHost_s
| project-rename SrcMacAddr=sourceMac_s
| project-rename SrcPortNumber=sourcePort_s
| project-rename DstIpAddr=destIP_s
| project-rename DstPortNumber=destPort_s
| project-rename DstHostname=destHost_s
| project-rename DstMacAddr=destMac_s
id: a3c7b8ed-56a9-47b7-98e5-2555c16e17c9
triggerOperator: gt
version: 1.0.0
eventGroupingSettings:
aggregationKind: AlertPerResult
customDetails:
SrcMacAddr: SrcMacAddr
EventTitle: NetworkRuleName
EventStartTime: EventStartTime
DstHostname: DstHostname
EventSeverity: EventSeverity
EventID: ThreatId
DstIpAddr: DstIpAddr
EventMessage: Message
description: |
'This rule creates Microsoft Sentinel Alerts based on Darktrace Model Breaches, fetched every 5 minutes.'
queryPeriod: 5m
alertDetailsOverride:
alertSeverityColumnName: ThreatCategory
alertDescriptionFormat: '{{description_s}}'
alertTacticsColumnName:
alertDisplayNameFormat: 'Darktrace: {{ThreatRiskLevel}} - {{NetworkRuleName}}'
requiredDataConnectors:
- connectorId: DarktraceRESTConnector
dataTypes:
- darktrace_model_alerts_CL
name: Darktrace Model Breach
tactics:
kind: NRT
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a3c7b8ed-56a9-47b7-98e5-2555c16e17c9')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a3c7b8ed-56a9-47b7-98e5-2555c16e17c9')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Nrt",
"apiVersion": "2022-11-01",
"properties": {
"displayName": "Darktrace Model Breach",
"description": "'This rule creates Microsoft Sentinel Alerts based on Darktrace Model Breaches, fetched every 5 minutes.'\n",
"severity": "Medium",
"enabled": true,
"query": "darktrace_model_alerts_CL\n| where dtProduct_s ==\"Policy Breach\"\n| extend EventCount = 1\n| extend EventType = \"NetworkSession\"\n| extend EventSchema = \"NetworkSession\"\n| extend EventSchemaVersion = \"0.2.2\"\n| extend EventResult = \"Success\"\n| extend DvcAction = \"Allow\"\n| project-rename EventSeverity=score_d\n| extend EventVendor = \"Darktrace\"\n| extend EventProduct = \"Enterprise Immune System\"\n| project-rename EventStartTime = breachTime_s\n| extend EventEndTime = EventStartTime\n| project-rename NetworkRuleName=modelName_s\n| project-rename NetworkRuleNumber=pid_d\n| extend Rule = \"NetworkRuleNumber\"\n| project-rename ThreatId=threatID_d\n| extend ThreatName = NetworkRuleName\n| project-rename ThreatCategory=dtProduct_s\n| extend ThreatRiskLevel=EventSeverity\n| extend ThreatCategory=Category\n| extend ThreatCategory=replace_regex(ThreatCategory, @'Informational', @'Low')\n| extend ThreatCategory=replace_regex(ThreatCategory, @'Compliance', @'Informational')\n| extend ThreatCategory=replace_regex(ThreatCategory, @'Suspicious', @'Medium')\n| extend ThreatCategory=replace_regex(ThreatCategory, @'Critical', @'High')\n| project-rename SrcIpAddr=SourceIP\n| project-rename SrcHostname=sourceHost_s\n| project-rename SrcMacAddr=sourceMac_s\n| project-rename SrcPortNumber=sourcePort_s\n| project-rename DstIpAddr=destIP_s\n| project-rename DstPortNumber=destPort_s\n| project-rename DstHostname=destHost_s\n| project-rename DstMacAddr=destMac_s\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": null,
"techniques": null,
"alertRuleTemplateName": "a3c7b8ed-56a9-47b7-98e5-2555c16e17c9",
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"alertDetailsOverride": {
"alertSeverityColumnName": "ThreatCategory",
"alertDisplayNameFormat": "Darktrace: {{ThreatRiskLevel}} - {{NetworkRuleName}}",
"alertTacticsColumnName": null,
"alertDescriptionFormat": "{{description_s}}"
},
"customDetails": {
"SrcMacAddr": "SrcMacAddr",
"EventTitle": "NetworkRuleName",
"EventStartTime": "EventStartTime",
"DstHostname": "DstHostname",
"EventSeverity": "EventSeverity",
"EventID": "ThreatId",
"DstIpAddr": "DstIpAddr",
"EventMessage": "Message"
},
"entityMappings": [
{
"entityType": "Host",
"fieldMappings": [
{
"identifier": "HostName",
"columnName": "SrcHostname"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"identifier": "Address",
"columnName": "SrcIPAddr"
}
]
}
],
"templateVersion": "1.0.0",
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Darktrace/Analytic Rules/CreateAlertFromModelBreach.yaml"
}
}
]
}